The reason is simple: the bad guys continue to claim countless victims daily, many of whom pay the ransom because they feel they have no choice.

SOURCE Boston 2017

Andrew Hay, co-founder and CTO of LEO Cyber Security, will give a talk today at 1:15 pm ET called “The Not-So-Improbable Future of Ransomware”. It’s a subject he’s spent a lot of time on. During RSA, he helped run a day-long seminar on it.


During today’s presentation, he’ll outline the evolving parallels between ransomware and traditional kidnap and ransom tactics (K&R) and doctrine:

As a perpetual student of history, I immediately noticed similarities between K&R and ransomware methodologies and the rate at which common tactics were appearing in ransomware campaigns. Ransomware campaign operators are simply taking what has worked before and applying it to the computerized world.

Perhaps the biggest difference is the anonymity afforded to ransomware campaign operators through the use of cryptocurrencies, anonymized communication services, and a target-rich, internet-using population, he said.

SOURCE Boston will also have a ransomware panel on Thursday, moderated by Paul Roberts, editor-in-chief and founder of Security Ledger.

Old but persistent

Ransomware is indeed an old topic in information security circles. Attackers have been hijacking computers and holding files hostage for years now, typically demanding that the ransom be paid in bitcoin. Some might expect that most people are well aware of the threat by now and are taking the appropriate precautions, and that online thieves have therefore moved on to new tactics.

Unfortunately, that's hardly the case. Naked Security has continued to cover cases of individuals and companies falling victim to it. Recent examples include:

Mole, ransomware that has caused enough concern to spark an advisory from CareCERT, the cybersecurity initiative set up for the UK’s National Health Service (NHS).

A spam campaign where ransomware is downloaded and run by a macro hidden inside a Word document that is in turn nested within a PDF, like a Russian matryoshka doll. The ransomware in this case appears to be a variant of Locky.
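The nested-document trick above is worth seeing at the byte level, because a mail gateway that only looks at the outer attachment type ("it's a PDF") will wave it through. The following is an added example, not code from Naked Security, Sophos or the campaign itself: it builds a constructed, harmless stand-in for the attack chain (a minimal OOXML zip carrying a `word/vbaProject.bin` stream, embedded in a PDF as an `/EmbeddedFile` attachment), then scans the PDF for embedded files and classifies each one. The sample PDF layout, the function names and the quarantine policy are all assumptions made for the example; real PDFs use compressed object streams, indirect `/Length` values and encryption, which this minimal parser does not handle.

```python
import io
import re
import zipfile
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls, and vbaProject.bin itself
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsm) is a zip

# --- constructed samples: the container layout only, no macro code and no payload ---

def build_docx(with_macro: bool) -> bytes:
    """Minimal OOXML-shaped zip; with_macro adds the VBA project stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()

def build_pdf_with_attachment(payload: bytes, name: str = "invoice.docx",
                              compress: bool = False) -> bytes:
    """PDF whose only content is one file attachment (/Filespec -> /EmbeddedFile)."""
    stream = zlib.compress(payload) if compress else payload
    filt = b" /Filter /FlateDecode" if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /Filespec /F (" + name.encode() + b") /EF << /F 4 0 R >> >>",
        b"<< /Type /EmbeddedFile /Length " + str(len(stream)).encode() + filt
        + b" >>\nstream\n" + stream + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

# --- scanner (assumed design for this example) ---

def extract_embedded_files(pdf: bytes) -> list:
    """Raw bytes of every /EmbeddedFile stream: plain or FlateDecode, direct /Length."""
    out = []
    for m in re.finditer(rb"/Type\s*/EmbeddedFile", pdf):
        dict_start = pdf.rfind(b"<<", 0, m.start())
        kw = pdf.find(b"stream", m.end())          # the 'stream' keyword, before the data
        if dict_start < 0 or kw < 0:
            continue
        header = pdf[dict_start:kw]
        start = kw + len(b"stream")
        start += 2 if pdf[start:start + 2] == b"\r\n" else 1   # EOL after the keyword
        length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", header)  # ignore 'n 0 R'
        if length:
            data = pdf[start:start + int(length.group(1))]
        else:                                       # no direct length: use the end marker
            end = pdf.find(b"endstream", start)
            data = pdf[start:end].rstrip(b"\r\n") if end >= 0 else b""
        if b"/FlateDecode" in header:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                data = b""
        out.append(data)
    return out

def classify_attachment(data: bytes) -> str:
    """Coarse verdict on one attachment: what it is and whether it carries a VBA project."""
    if data.startswith(OLE_MAGIC):
        return "ole-document"        # legacy binary Office file; a real scanner would parse it with olefile
    if data.startswith(b"%PDF"):
        return "pdf"                 # a PDF inside a PDF: recurse in a real scanner
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            return "corrupt-zip"
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"     # Office document with a VBA project, regardless of its extension
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "ooxml"
        return "zip"
    return "other"

def scan_pdf(pdf: bytes) -> list:
    return [classify_attachment(d) for d in extract_embedded_files(pdf)]

def should_quarantine(pdf: bytes) -> bool:
    """Assumed policy: hold any PDF that smuggles a macro-capable Office document."""
    return any(v in ("ooxml-macro", "ole-document") for v in scan_pdf(pdf))

if __name__ == "__main__":
    sample = build_pdf_with_attachment(build_docx(with_macro=True), compress=True)
    print(scan_pdf(sample), should_quarantine(sample))
```

The point of the check is that the verdict comes from the innermost object, not from the extension or MIME type of the outer file: the macro is found by looking for the VBA project stream inside the zip that sits inside the PDF stream. Renaming the inner file, or wrapping it in another layer, does not change what the stream contains.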

Defensive measures

First, some things people can do to better protect themselves from this sort of thing:

Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.

Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.

Patch early, patch often. Malware that doesn't come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit. In the case of this attack, make sure your PDF reader and Word are fully up to date.

Use Sophos Intercept X, which stops ransomware in its tracks by blocking the unauthorized encryption of files.